More thoughts on passkeys
This article by Dan Goodin at Ars Technica is pretty good. I grumbled about one aspect of this in October: tying authentication to a particular device isn’t going to work.
While I’m complaining, I have accounts with half-a-dozen services that offer passkey authentication and they all do it differently. For example:
- Fastmail does it properly: I visit the login page and instruct my password manager to sign in with passkey. Done. It’s delightful.
- LinkedIn does this as well but still prompts for a one-time password on the next screen, which seems… redundant.
- Amazon will only let me present my passkey once I’ve entered my username, and then they ask for a one-time password as well. 3 screens. What’s the fucking point? The user experience does not benefit at all.
But here’s Goodin on the thing that all of these services still do:
Of the hundreds of sites supporting passkeys, there isn’t one I know of that allows users to ditch their password completely. The password is still mandatory. … This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys.
The more I think about it, the more I reckon this is why passkeys aren’t going to solve anything. Users forget their username/email address/password all the time, so there’s no reason to assume passkeys won’t be misplaced all the time as well. That means we still need to build account recovery processes, and, whichever way you cut it, something in that process has to send an email or ask a question or send a code or something, utterly defeating many of the technical benefits of a passkey.